b'           OFFICE OF\n\n    THE INSPECTOR GENERAL\n\n\n\nSOCIAL SECURITY ADMINISTRATION\n\n\nPERFORMANCE MEASURE REVIEW:\n RELIABILITY OF THE DATA USED\nTO MEASURE PERSONAL EARNINGS\n     AND BENEFIT ESTIMATE\n    STATEMENT PROCESSING\n\n    MARCH 2000   A-02-99-01011\n\n\n\n\nAUDIT REPORT\n\n\x0c                             Office of the Inspector General\n\nMarch 20, 2000\n\nWilliam A. Halter\nDeputy Commissioner\n of Social Security\n\nInspector General\n\n\nPerformance Measure Review: Reliability of the Data Used to Measure Personal\nEarnings and Benefit Estimate Statement Processing (A-02-99-01011)\n\n\nTo fulfill the responsibilities of our workplan related to performance measurement, we\ncontracted PricewaterhouseCoopers (PwC) to evaluate nine of the Social Security\nAdministration\xe2\x80\x99s (SSA) Fiscal Year 1999 performance indicators that were established\nby SSA to comply with the Government Performance and Results Act.\n\nAttached is a copy of the final report on one of the performance indicators reviewed.\nThe objective of this review was to assess the reliability of the data used to measure\nperformance of the Personal Earnings and Benefit Estimate Statement process.\n\nIn addition to releasing individual reports on the performance indicators reviewed, PwC\nreleased a summary report on all of the indicators reviewed. SSA commented on the\nsummary report, Performance Measure Review: Summary of PricewaterhouseCoopers\xe2\x80\x99,\nLLP Review of the Social Security Administration\'s Performance Data (A-02-00-20024).\nAgency comments to the summary report were provided to us on January 28, 2000.\nThe comments related to the subject of this report are included in Appendix C. PwC\nreformatted the Agency comments to align them with the firm\'s recommendations\npresented in the final report. 
Nonetheless, SSA\'s comments were not changed during\nthe reformatting process.\n\nYou do not need to respond to this report, since you are responding to the same\ncomments attached to PwC\xe2\x80\x99s summary report. If you wish to discuss the final report,\nplease call me or have your staff contact Steven L. Schaefer, Assistant Inspector\nGeneral for Audit, at 410-965-9700.\n\n\n\n                                                James G. Huse, Jr.\n\nAttachment\n\x0cEvaluation of Selected Performance\n\nMeasures of the Social Security\n\nAdministration:\n\nReliability of the Data Used to\n\nMeasure Personal Earnings and\n\nBenefit Estimate Statement Processing\n\nOffice of the Inspector General\nSocial Security Administration\n\n\nAgency comments to this report were provided to us on January 28, 2000. Many of the\nrecommendations made in this report are also found in earlier financial statement audit\nreports. In Appendix C, the Agency notes in its comments, \xe2\x80\x9cSince we are already taking\ncorrective actions for those that we accepted as valid, we will not be addressing the\nduplicate recommendations in this response.\xe2\x80\x9d\n\nFor the reader to be fully aware of SSA\xe2\x80\x99s comments that were made to each of the\nduplicate recommendations found in this present report, we incorporated those Agency\ncomments, that were made contemporaneous to the earlier audit report recommendations,\nas part of the Agency comments located at Appendix C of this report.\n\n\n\n\nA-02-99-01011                                                 February 18, 2000\n\x0c                         Table of Contents\n\n\nPerformance Measures Evaluation\n\n Introduction                                    1\n\n Results of Engagement                           2\n\n Other Matters                                   10\n\nAppendix A: Background                           A1\n\nAppendix B: Scope and Methodology                B1\n\nAppendix C: Agency Comments and PwC Response     
C1\n\nAppendix D: Performance Measure Summary Sheets   D1\n\nAppendix E: Performance Measure Process Maps     E1\n\x0cINTRODUCTION\n\nThe Government Performance and Results Act (GPRA), Public Law Number 103-62,\n107 Statute 285 (1993), requires the Social Security Administration (SSA) to develop\nperformance indicators for fiscal year (FY) 1999 that assess the relevant service levels\nand outcomes of each program\'s activity. GPRA also calls for a description of the\nmeans employed to verify and validate the measured values used to report on program\nperformance. SSA has stated that the Office of the Inspector General (OIG) plays a\nvital role in evaluating the data used to measure performance. The OIG contracted\nPricewaterhouseCoopers (PwC) to evaluate the following GPRA performance\nindicator(s):\n\n1.\t Percent of OASI claims processed by the time the first regular payment is due,\n    or within 14 days from effective filing date, if later\n2. OASI claims processed\n3. Percent of initial SSI aged claims processed within 14 days of filing\n4. SSI aged claims processed\n5. Representative Payee Actions\n6. SSN requests processed\n7. Annual earnings items\n8. Percent of earnings posted to individuals\xe2\x80\x99 records by September 30\n9. 
Percentage of individuals issued SSA-Initiated PEBES as required by law\n\nTo evaluate the nine SSA performance indicators established by SSA to comply with\nGPRA, PwC was contracted to:\n\n\xe2\x80\xa2\t Gain an understanding and document the current FY 1999system sources from\n   which data is collected to report on the specified performance measures;\n\xe2\x80\xa2\t Identify and test critical controls (both electronic data processing (EDP) and manual)\n   of current FY 1999 systems from which the specified performance data is generated;\n\xe2\x80\xa2\t Test the accuracy of the underlying FY 1998 data for each of the specified\n   performance measures;\n\xe2\x80\xa2 Recalculate each specific FY 1998 measure to ascertain its mathematical accuracy;\n\xe2\x80\xa2\t Evaluate the impact of any relevant findings from prior and current audits with\n   respect to SSA\'s ability to meet performance measure objectives; and\n\xe2\x80\xa2\t Identify findings relative to the above procedures and make suggestions for\n   improvement.\n\nThis is one of six separate stand-alone reports, corresponding to the following SSA\nprocess, performance measure (PM), and Contract Identification Number (CIN):\n\n      Processing of SIPEBES (PM #9)                   A-02-99-01011\n\nThis report reflects our understanding and evaluation of the processing of SIPEBES\nprocess. The report is organized in the following manner. The next section titled\n"Results of Engagement" identifies our findings and explains their relevance to SSA\n\n\n                                            1\n\n\x0cperformance measurement. It also provides recommendations and suggestions for\nimprovement. The subsequent "Other Matters" section discusses the relevance of each\nperformance measure with respect to GPRA. 
All other information is contained in the\nappendices, as follows:\n\nAPPENDIX A \xe2\x80\x93 Background\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Comments\nAPPENDIX D \xe2\x80\x93 Performance Measure Summary Sheets\nAPPENDIX E \xe2\x80\x93 Performance Measure Process Maps\n\n\nRESULTS OF ENGAGEMENT\n\nDuring the period of June 9, 1999 to October 1, 1999, we evaluated the current\nprocesses, systems and controls, which support the FY 1999 SSA performance\nmeasurement process. In addition, we determined the accuracy of the underlying\nperformance measure data. Since FY 1999 data were not always available, we often\nused FY 1998 data to perform our testing. Although SSA was not required to comply\nwith GPRA until FY 1999, they voluntarily reported results in the FY 1998 Accountability\nReport for Processing of SIPEBES1. As a result, we were able to use our knowledge of\ncurrent processes, systems, and controls to judge the accuracy of the performance\nmeasures based on the FY 1998 results.\n\nOur evaluation allowed us to determine that the reported FY 1998 result of the\nperformance measure tested (as itemized below) was reasonably stated.\n\n    Performance Measure                                    Reported Result\n    9.\t Percentage of individuals issued SSA-Initiated PEBES\n        as required by law                                          100%\n\nHowever, we did note the following seven opportunities for improvement, listed in order\nof their relative importance:\n\n1.\t SSA lacks sufficient performance measure process documentation and did not retain\n    documents to support the FY 1998 amounts\n2. SSA has a number of data integrity deficiencies\n3. SSA\'s system environment has security deficiencies\n4.\t GPRA documents prepared for external evaluation of SSA performance do not\n    clearly indicate the sources or uses of the performance measures\n5. 
SSA did not calculate the performance measure as it is defined\n\n1\n  On September 25, 1999 SSA implemented a new system, PEBES 2000, for processing\nSIPEBES. We did not evaluate this system because it was not active during the time of our\nreview.\n\n\n                                              2\n\n\x0c6. SSA has systems design and documentation deficiencies\n7. SSA has a number of deficiencies in their systems contingency plan\n\nAdditionally, we evaluated the appropriateness of the nine performance measures with\nrespect to the future requirements of GPRA. As a result, we noted three areas in which\nSSA could better prepare itself to incorporate the final phases of GPRA in their\nprocesses. These results are discussed below in the Other Matters section.\n\nThese items were noted as a result of our testing the underlying performance measure\ndata, as well as the EDP and manual controls of the systems generating the\nperformance measure data, and are discussed in detail below.\n\nThroughout our evaluation of the nine performance measures, we noted the strong\ncommitment of SSA\'s staff to correctly implement GPRA.\n\n\n\n1.\t   SSA lacks sufficient performance measure process documentation and did\n      not retain documents to support the FY 1998 amounts\n\nGPRA requires that agencies "describe the means to be used to verify and validate\nmeasured values." Furthermore, the Office of Management and Budget (OMB) Circular\nNo. A-123, Internal Control Systems, requires that "documentation for transactions,\nmanagement controls, and other significant events must be clear and readily available\nfor examination." Finally, National Institute of Standards and Technology (NIST) Special\nPublication 800-18, 5.MA.7, requires that system documentation be maintained as part\nof a formalized security and operational procedures record. 
Therefore, agencies must\nestablish a clear methodology for verifying performance measure values, and retain the\nappropriate documentation to enable an audit of their performance measure values\nbased on the methodology. Although this requirement was not effective for the FY 1998\nAccountability Report, it is effective beginning in FY 1999.\n\nWhile general policies and procedures exist for all documents produced at SSA (as\nfound in the SSA Administrative Instructions Manual System/Operational and\nAdministrative Record Schedules), SSA does not have formal policies and procedures\nin place regarding the retention of performance measure documentation. During\ntesting, we noted that SSA lacked sufficient documentation regarding the processes\nsurrounding the accumulation and generation of performance indicator data.\nFurthermore, SSA could not consistently provide the documentation necessary to verify\ntheir performance measure values as reported in their FY 1998 Accountability Report.\n\nSpecifically, we noted that SSA was unable to provide a comprehensive process map\ndocumenting the flow of performance measure data from the selection of current\nPersonal Earnings and Benefit Estimate Statements (PEBES) recipients by the\nNUMIDENT, through the Generalized Earnings Statement System (GESS, the system\nof record), to the accumulation of yearly performance measure data in Management\n\n\n                                           3\n\n\x0cInformation PEBES (MIPEBES). Furthermore, the performance measure count per the\nGESS Report did not trace to the information in the PSIWO1 Report. (Note: the\nPSIWO1 Report is a product of MIPEBES, and represents the final accumulation of\nperformance measure data. The data is posted on SSA\'s intranet by the Office of\nInformation Management. 
The relevant performance measure data is then obtained\nfrom the intranet for inclusion in the Accountability Report.)\n\nIf SSA does not establish a methodology for verifying performance measure values and\ninstitute an adequate document retention system, they will not be in compliance with\nGPRA. Furthermore, a significant lack of documentation does not provide a proper\naudit trail to facilitate verification of the performance measures as required by GPRA.\n\nRecommendations:\nWe recommend that SSA expand the role of Office of Strategic Management (OSM)\nwith respect to performance measures or place ownership for the performance measure\nprocess and reporting within an organizational unit. In either case, data ownership\nwould still remain with the user organizations. However, an organizational unit should\nbe accountable for the overall performance measure processes and results. Their\ncharter should include the following responsibilities:\n\n\xe2\x80\xa2\t Identify and document the processes surrounding the generation and accumulation\n   of performance measure values. This would establish a clear method for verifying\n   and validating the performance measures\n\n\xe2\x80\xa2\t Establish policies and procedures surrounding the retention of performance measure\n   documentation. The documentation retained should allow for the timely verification\n   of the performance measure values, and should be maintained for at least one year\n\n\xe2\x80\xa2\t As new systems are developed, evaluate their potential impact on the accumulation\n   of performance measure data. Systems with potential impact should be designed to\n   include the means of producing a verifiable audit trail to validate the performance\n   measure results as they are defined in the Accountability Report\n\n\n2.    SSA has a number of data integrity deficiencies\n\nOMB Circular No. 
A-127, Financial Management Systems, requires that a Federal\nAgency\'s systems include a system of internal controls to ensure that the data used to\nproduce reports is reliable. During our FY 1999 Financial Audit, we noted a number of\ndata integrity deficiencies that result in a lack of control over both the input and\nmaintenance of data, as well as the resolution of suspense items. While an adverse\neffect upon performance measure data was not observed during our testing, this lack of\ncontrolcan affect the validity and completeness of the performance measures as\nfollows:\n\n\xe2\x80\xa2\t When DACUS (Death, Alert, and Control Update System) receives death information\n   and compares it to SSA\xe2\x80\x99s NUMIDENT, MBR, SSR, and Black Lung databases\n\n\n                                           4\n\n\x0c   without a successful match, the record is posted to the DACUS exception file.\n   However, no subsequent follow-up is performed on items in this exception file to try\n   to resolve any matches that may not have been detected based on the automated\n   matching algorithm. While this data may not have a direct effect on the performance\n   measures (#1, #2, #3, #4, #5, and #9), a noted lack of data verification in these\n   databases indicates the possibility that other data lacks integrity\n\n\xe2\x80\xa2\t SSA\xe2\x80\x99s current practice of obtaining death data does not ensure that this data is\n   entered into DACUS accurately, timely, and only once (affects the NUMIDENT,\n   MBR, and SSR). 
While this data may not have a direct effect on the performance\n   measures (#1, #2, #3, #4, #5, and #9), a noted lack of data verification in these\n   databases indicates the possibility that other data lacks integrity\n\n\xe2\x80\xa2\t A comparison of the MBR, SSR, and NUMIDENT identified a large number of cases\n   where either the individual was alive and in current pay status on the MBR/SSR but\n   listed as dead on the NUMIDENT, or the corresponding records of a given individual\n   had significant differences in dates of death. While this data may not have a direct\n   effect on the performance measures (#1, #2, #3, #4, #5, and #9), a noted lack of\n   data verification in these databases indicates the possibility that other data lacks\n   integrity\n\n\xe2\x80\xa2\t A comparison of the MBR, SSR, and NUMIDENT identified a large number of cases\n   where the corresponding records of a given individual had significant differences in\n   dates of birth. While this data may not have a direct effect on the performance\n   measures (#1, #2, #3, #4, #5, and #9), a noted lack of data verification in these\n   databases indicates the possibility that other data lacks integrity\n\nRecommendations:\nAs previously stated in the FY 1999 Accountability Report, we recommend the following:\n\n\xe2\x80\xa2\t SSA should develop policies and procedures for the resolution of unmatched items\n   in DACUS and establish a work group with primary responsibility for resolution. 
One\n   of the duties of this group should be to analyze patterns in exceptions and facilitate\n   the implementation of changes to the automated matching algorithm to make it more\n   effective\n\n\xe2\x80\xa2\t SSA should implement: 1) initiatives to reduce the amount of time required by\n   outside sources for submitting death notifications, such as the electronic death\n   certificate project currently being tested; and, 2) a method to prevent the submission\n   or receipt of duplicate information, whether submitted from the same or different\n   sources (DACUS, NUMIDENT, MBR, SSR)\n\n\xe2\x80\xa2\t With the completion of the Year 2000 project in FY2000, SSA should begin\n   implementation of DACUS Release 2 (a high priority of SSA\xe2\x80\x99s five-year IRM plan), to\n   provide functionality to automatically delete NUMIDENT death postings when a\n   person is \xe2\x80\x9cresurrected\xe2\x80\x9d on the MBR and SSR (NUMIDENT, MBR, SSR)\n\n\n                                            5\n\n\x0c\xe2\x80\xa2\t SSA should firm up plans to implement the ICDB R2 functionality for the SSI system\n     (SSR) to provide updated (substantiated) date of birth information to the NUMIDENT\n     (NUMIDENT, MBR, SSR)\n\n\n3.      SSA\'s system environment has security deficiencies\n\nWe noted in our FY 1999 Financial Audit that SSA\xe2\x80\x99s systems environment remains\nthreatened by weaknesses in several components of its information protection internal\ncontrol structure. Because disclosure of detailed information about these weaknesses\nmight further compromise controls, we are providing no further details here. Instead,\nthe specifics are presented in a separate, limited-distribution management letter, dated\nNovember 18, 1999. 
The general areas where weaknesses were noted are:\n\n\xe2\x80\xa2\t The entity-wide security program and associated weaknesses in developing,\n   implementing and monitoring local area network (LAN) and distributed systems\n   security;\n\n\xe2\x80\xa2    SSA\xe2\x80\x99s mainframe computer security and operating system configuration;\n\n\xe2\x80\xa2    Physical access controls at non-headquarter locations; and\n\n\xe2\x80\xa2\t Certification and accreditation of certain general support and major application\n   systems.\n\nUntil corrected, these weaknesses will continue to increase the risks of unauthorized\naccess to, and modification or disclosure of, sensitive SSA information. While these\nweaknesses do not directly affect the performance measures, a risk still exists.\nUnauthorized access to sensitive data can result in the loss of data associated with\nSSA\xe2\x80\x99s enumeration, earnings, retirement, and disability processes and programs, thus\naffecting all performance measures.\n\nRecommendations:\nAs previously reported in the FY 1999 Accountability Report, we recommend that SSA\naccelerate and build on its progress to enhance information protection by further\nstrengthening its entity-wide security as it relates to implementation of physical and\ntechnical computer security mechanisms and controls throughout the organization. 
In\ngeneral, we recommend that SSA:\n\n\xe2\x80\xa2    Reevaluate its overall organization-wide security architecture;\n\n\xe2\x80\xa2\t Reassess the security roles and responsibilities throughout the organization\xe2\x80\x99s central\n   and regional office components;\n\n\xe2\x80\xa2\t Assure that the appropriate level of trained resources are in place to develop,\n   implement and monitor the SSA security program;\n\n\n                                              6\n\n\x0c\xe2\x80\xa2\t Enhance and institutionalize an entity-wide security program that facilitates\n   strengthening of LAN and distributed systems\xe2\x80\x99 security;\n\n\xe2\x80\xa2     Review and certify system access for all users;\n\n\xe2\x80\xa2\t Enhance procedures for removing system access when employees are transferred\n   or leave the agency;\n\n\xe2\x80\xa2     Decrease vulnerabilities in the mainframe operating system configuration;\n\n\xe2\x80\xa2     Implement the mainframe monitoring process;\n\n\xe2\x80\xa2     Finalize accreditation and certification of systems;\n\n\xe2\x80\xa2\t Develop and implement an ongoing entity-wide information security compliance\n   program; and\n\n\xe2\x80\xa2     Strengthen physical access controls at non-headquarters sites.\n\nMore specific recommendations are included in a separate, limited-distribution\nmanagement letter, dated November 18, 1999.\n\n\n4.\t      GPRA documents prepared for external evaluation of SSA performance\n         could better document the sources of the performance measures\n\nSince FY 1999,OMB circular A-11, Preparation and Submission of Strategic Plans,\nAnnual Performance Plans, and Annual Program Performance Reports, states that "the\nannual plan must include an identification of the means the agency will use to verify and\nvalidate the measured performance values." This suggests that an agency should detail\nthe source of performance data. 
SSA\'s documents prepared for external reporting,\nincluding the 1997-2002 Strategic Plan, the FY 2000 Annual Performance Plan, and the\nFY 1998 Annual Accountability Report, could better document the SSA sources used to\nobtain the performance measures we evaluated.\n\nIn the case of three performance measures, the FY 2000 Annual Performance Plan, the\nmost recent document at the time of this evaluation, does list a data source for\nPerformance Measure #1 as "The End-of-Line Processing Report," a data source for\nPerformance Measure #3 as "The Title XVI Processing Time System," and a data\nsource for Performance Measure #8 as the "Earnings Posted Overall Cross Total/Year\nto Date System (EPOXY)." However, the external stakeholder is not told of the origin of\nthese documents or of the underlying processes and programmatic systems that\nproduce the reported metrics. Furthermore, the sources of the other six measures are\nnot clearly indicated.\n\n\n\n\n                                                7\n\n\x0cAll nine metrics are referred to in the SSA documentation as GPRA indicators. As a\nresult, OMB Circular A-11, Section 220.12, requires that they be documented. By\nimproving the description of the sources, SSA would enhance the credibility of the\nunderlying data used to formulate each performance measure.\n\nRecommendation:\nWe recommend that SSA develop clear and concise descriptions of each performance\nmeasure\'s source. 
As specifically recommended by OMB Circular A-11, these\ndescriptions should include:\n\n\xe2\x80\xa2\t The current existence of relevant baseline data, including the time-span covered by\n   trend data;\n\xe2\x80\xa2 The expected use of existing agency systems in the collection and reporting of data;\n\xe2\x80\xa2 The source of the measured data;\n\xe2\x80\xa2\t Any expected reliance on an external source(s) for data, and identification of the\n   source(s); and\n\xe2\x80\xa2\t Any changes or improvements being made to existing data collection and reporting\n   systems or processes to modify, improve, or expand their capability.\n\n\n5.    SSA did not calculate the performance measure as it is defined\n\nGPRA requires Federal agencies to "establish performance goals to define the level of\nperformance to be achieved,\xe2\x80\xa6to express such goals in an objective, quantifiable, and\nmeasurable form,\xe2\x80\xa6(and to) describe the means to be used to verify and validate\nmeasured values." Agencies must clearly define the components of each performance\nmeasure so that it reflects the intent of the established goal, and so that the\nperformance measures can be validated.\n\nSSA defines the measure as the number of SIPEBES sent divided by the number of\nSIPEBES required to be sent by law. The calculation is performed by dividing the\nnumber of SIPEBES sent by itself, as SSA always mails all SIPEBES required by law.\nThe number required to be sent by law does not include certain individuals, including\nthose with invalid addresses and those who initiated their own PEBES during the\ncurrent fiscal year. The number required by law does include individuals with \'bad\nhistory\' records, as determined by the Office of Information Management (OIM). \'Bad\nhistory\' records contain inaccurate data fields such as sex, process type, language, or\nage. 
This inaccurate data does not prevent an individual from receiving a SIPEBES,\nand they are included in the count of SIPEBES sent to OIM by the Office of Systems\nDesign and Development (OSDD). However, we determined that OIM removed\nindividuals from the count they receive based on \'bad history\' records, reducing the\nSIPEBES count.\n\nAlthough the \'bad history\' record count does not affect the performance measure\npercentage, it affects the number used to calculate the measure. Furthermore, the\n\n\n\n\n                                            8\n\n\x0cindividuals with \'bad history\' records have received a SIPEBES, and by definition,\nshould be included in the total count.\n\nRecommendations:\nWe recommend that SSA include the \'bad history\' records in the SIPEBES count within\nOIM report.\n\n\n6.     SSA has systems design and documentation deficiencies\n\nAs a result of our FY 1999 financial audit, we noted specific systems design and\ndocumentation deficiencies that indicate a lack of control over both the system design\nand documentation. While these deficiencies do not have a direct effect on the\nperformance measures, a risk still exists. This lack of control affects the ability of SSA\nto effectively design, implement, and use their computer systems. If SSA is not\neffectively using their computer systems to accumulate and calculate performance\nmeasures, the resulting performance measure amounts could be affected. Our specific\nfindings were:\n\n\xe2\x80\xa2\t Full documentation of program changes evidencing user approval and testing was\n   not always maintained. 
In addition, user initiation of changes to production\n   programs could not be confirmed due to the absence of documentation indicating\n   who initiated the changes;\n\n\xe2\x80\xa2\t Software Engineering Technology (SET) did not establish different requirements for\n   major development projects, routine maintenance, and cyclical changes; and\n\n\xe2\x80\xa2\t SSA\xe2\x80\x99s System Security Handbook (Chapter 10 on Systems Access Security) does\n   not list all of the acceptable forms for granting access to SSA\xe2\x80\x99s computerized\n   systems and data.\n\nRecommendations:\nWe recommend the following:\n\n\xe2\x80\xa2\t SSA should complete implementation of it\'s Validation Transaction Tracking System\n   (VTTS) and continue with its plan to automate the process for submitting System\n   Release Certification (SRC) forms\n\n\xe2\x80\xa2\t SSA should complete implementation of Platinum\'s Process Engineering Tool (PET)\n   and institutionalize Carnegie Mellon\'s Software Engineering Institute\'s Capability\n   Maturity Model (CMM) methodology\n\n\xe2\x80\xa2\t SSA should update its System Security Handbook (Chapter 10 on Systems Access\n   Security) to address all of the acceptable forms for granting access to SSA\xe2\x80\x99s\n   computer systems and data\n\n\n\n                                            9\n\n\x0c7.      SSA has a number of deficiencies in their systems contingency plan\n\nDuring our FY 1999 Financial Audit, we noted a number of deficiencies which, in our\nview, would impair SSA\xe2\x80\x99s ability to respond effectively to a disruption in business\noperations as a result of a disaster or other long-term crisis. Although SSA has\nperformed a Business Impact Analysis, its list of critical workloads is still being finalized,\nand recovery time objectives (RTOs) have not yet been established for each of the\ncritical workloads. 
Consequently, SSA has not established recovery priorities for all of\nits systems in the mainframe and distributed environments. Further, the plan for\nrecovering the critical workloads still needs to be fully tested. Finally, SSA has not fully\nupdated the contingency plans for the headquarters site or finalized and tested\ncontingency plans for non-headquarters sites.\n\nWhile deficiencies in a contingency plan does not directly affect performance measures,\na risk still exists. A failure to respond effectively to a disruption through proven recovery\nprocedures could affect both the quality and quantity of data used in the accumulation\nand calculation of all performance measures.\n\nRecommendations:\nAs previously stated in the FY 1999 Accountability Report, we recommend that SSA:\n\n\xe2\x80\xa2\t Finalize the list of critical SSA workloads and fully test the plans for recovering each\n   workload;\n\n\xe2\x80\xa2    Establish RTOs for each critical workload;\n\n\xe2\x80\xa2\t Establish recovery priorities for all systems and applications (mainframe and\n   distributed);\n\n\xe2\x80\xa2    Update contingency plans for headquarters;\n\n\xe2\x80\xa2\t Finalize and test SSA\xe2\x80\x99s ultimate strategy for implementing and maintaining alternate\n   processing facilities; and\n\n\xe2\x80\xa2    Finalize and test contingency plans for non-headquarters sites.\n\n\n\nOTHER MATTERS\nAs part of this evaluation, PwC was tasked to evaluate the appropriateness of the\nperformance measures. 
In this section, we discuss the relevance of each performance\nmeasure with respect to GPRA and look to the future by evaluating SSA\'s readiness to\nincorporate the final phases of GPRA into their processes.\n\n\n\n\n                                              10\n\n\x0c1.\t      Documents prepared for external evaluation of SSA performance could be\n         improved to clearly explain the intended uses of the performance measures\n         to comply with future GPRA requirements\n\nThe United States General Accounting Office (GAO) encourages agencies to "include\nexplanatory information on the goals and measures." 2 In addition, best practices in\nperformance measurement dictate that agencies should provide external stakeholders\nwith such information. Furthermore, it can be expected that agencies will be required to\nprovide such information in the near future as GPRA continues to evolve.\n\nOver the past few years, SSA has continuously improved their performance planning\ndocuments by adding in-depth discussions on their strategies and key performance\nindicators. With respect to the performance metrics studied as part of this evaluation,\nhowever, the 1997-2002 Strategic Plan, the FY 2000 Performance Plan, and the FY\n1998 Annual Accountability Report do not clearly explain the intended purpose of each\nperformance measure with respect to evaluating overall SSA performance. 
In each case, the documents clearly associate each metric with the strategic goals and objectives that they support, but they do not explain to the external stakeholder exactly how they are applied.

Describing the use of these performance measures would help to clarify the overall objectives of the SSA strategic planning process and would clarify how the subject metrics fit into that process.

In a July 1999 report3, the General Accounting Office (GAO) rated the Fiscal Year 2000 Annual Performance Plans of all federal agencies in three key elements of "informative performance plans:"

1. Clear pictures of intended performance
2. Specific discussion of strategies and resources
3. Confidence that performance information will be credible

Although SSA was considered relatively strong as compared to most other agencies, their weakest ratings were received for the categories of "Degree of Confidence that Performance Information will be Credible" and "Specificity of Strategic Resources." Our observations were consistent with these findings (see Item #5 in the previous section, Results of Engagement).
However, if SSA develops clear and concise descriptions of each performance measure's source and its intended strategic use, we believe they can bolster their future GAO ratings relative to informative performance plans.

2 GAO/GGD/AIMD-99-69, "Agency Performance Plans"
3 GAO/GGD/AIMD-99-215, July 1999.

2. The nine performance measures are not explicit performance budgeting metrics, but are nonetheless appropriate internal performance indicators and are useful to the SSA strategic planning process

An important intent of GPRA in the future is to facilitate performance budgeting, which will allow Federal agencies to allocate resources in an effort to achieve "optimal" results. Consequently, agencies must develop measures that will help external stakeholders such as Congress to match resources to performance.

Under GPRA requirements, an agency must rely on two distinctive types of measures:

    Outcome performance measures. These measures are intended to gauge the effectiveness of the organization at fulfilling its strategic goals. Often, however, these performance measures are not completely under the span of influence of the organization.
    Consequently, while they represent good measures of the accomplishment of a strategic goal, they do not reflect the success of an organization in contributing to the achievement of the goal.

    Workload and output performance measures.4 These measures are used to gauge the level of effort required for a given activity, including characteristics established as performance standards (e.g., Percent of OASI claims processed by the time the first regular payment is due or within 14 days from effective filing date, if later).

While outcome performance measures are often more accurate indicators of the success or failure of an organization's strategic goals, it is workload and output measures that fall under an organization's span of influence. Consequently, workload and output measures are more often used in external reporting to support organizational activities. However, these workload and output performance measures are seldom related to either outcomes or the amount of resources spent processing the workload or creating the output. As a result, they represent little value to external stakeholders making resource allocation decisions.

If viewed in isolation, none of the nine performance measures considered on this project would suffice as explicit outcome performance measures for external stakeholders to use in a resource allocation or performance budgeting oversight role. However, that is not to say that these measures are not of value. In fact, they indicate to external stakeholders, including congressional appropriators, customers, policy makers, and the general public, how effective SSA is at fulfilling its overall mission. More importantly, they serve a useful internal purpose in the SSA performance planning process.
For example, many of the measures we analyzed (Performance Measures 2, 4, 5, 6, and 7) are workload counts, which are important for individual program managers when making management decisions.

    Performance Measure #9. The SSA Strategic Plan (1997 to 2002), the FY 1998 Accountability Report, and the FY 2000 Annual Performance Plan all consistently position this metric in support of the goal "to strengthen public understanding of Social Security programs." The FY 2000 Annual Performance Plan does list a data source as "the PEBES weekly summary report."

    Of the nine performance measures we evaluated, this measure, the Percent of individuals issued SSA Initiated PEBES as required by law, comes the closest to being an external performance measure because it specifies an external outcome. It falls short, however, in that it does not describe how resources are utilized to achieve that outcome.

    Nevertheless, this measure is most likely useful to SSA as an internal indicator, particularly with respect to the strategic goals and objectives it supports. There is concern within SSA that this measure serves little purpose because they always score 100%. However, SSA faces greater challenges with SIPEBES over the next few years because the annual number of recipients will dramatically increase. Therefore, this measure is worth keeping as a metric to gauge future progress.

4 The SSA documentation refers to such metrics strictly as outputs, but that is merely a matter of semantics. In either case, they refer to a level of effort for a given activity.

To SSA's credit, they have developed a number of useful performance measures in the spirit of GPRA and have discussed them in proper detail in the FY 2000 Performance Plan.5
As we have shown, the nine performance measures covered by this project cannot be considered as true high-level, external measures. Nevertheless, they do appear to have specific uses, as discussed above. Again, SSA would benefit the external stakeholder by clarifying exactly what these intended uses are (see "Other Matters" item #1).

5 In earlier documents, such as the FY 1998 Accountability Report, SSA presented the performance measures in a manner that seemed to give each one equal weight. In the more recent documents, however, SSA has placed greater emphasis on the more high-level, outcome-oriented performance measures.

3. SSA is positioned to be a leading performance-based budgeting organization and to meet the future requirements of GPRA

Since 1988, SSA has had an established history of strategic planning, using specific performance measurements. Building on this history, SSA implemented GPRA's requirements for strategic planning, performance planning, and performance reporting. One of GPRA's ultimate objectives is to facilitate performance budgeting, which will allow Federal agencies to allocate resources in an effort to achieve "optimal" results. Consequently, to help external stakeholders such as Congress match resources to performance, agencies must eventually develop performance measures that are linked to resource requirements.

Performance budgeting is the analysis of performance measurement data for the purpose of allocating budgetary resources more effectively. Specifically, performance budgeting for GPRA is complete upon the submission of multiple resource-to-result scenarios within one annual budget.

The final stage of GPRA implementation is the successful piloting of performance budgeting at no less than five federal agencies.
Currently, few federal agencies are capable of acting as a performance budgeting pilot, and this final stage of GPRA has consequently been delayed. However, the Office of Management and Budget (OMB) has recently designated SSA as one of the government-wide performance budgeting pilot projects. Within SSA, the Continuing Disability Reviews program is the specific activity covered by this designation. OMB considers the performance budgeting pilot projects to be an opportunity to examine the feasibility and potential application of several approaches to performance budgeting. In this context, OMB intends to use performance and resource data provided by the pilots during development of the FY 2001 budget and to report to Congress on the results of the pilots no later than March 31, 2001, as required by GPRA. With proper planning and preparation, SSA is uniquely positioned to be one of the first truly successful performance-based budgeting organizations.

In anticipation of the next phase of GPRA, we believe SSA needs to develop a suitable performance budgetary model by combining cost accounting concepts with performance measurement methodology. A high-level description of one possible model is listed below:

• SSA defines a set of reporting segments that represent all of their work.
• SSA maps their performance measurements to these specific reporting segments.
• SSA calculates person-hours associated with these reporting segments, so that all personnel within SSA are accounted for in the model.
• SSA builds the model around this data to allow for current resource-to-workload/result analysis and future resource-to-workload/result forecasting.

SSA could build this model at any level of detail: by resource type, resource location, or any other classification methodology.
By linking resources to performance goals at this level of detail, SSA would thus satisfy the annual performance-planning requirement for specificity of strategies and resources, while striving to become the first agency to successfully implement performance budgeting.

APPENDICES

APPENDIX A – Background
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – Performance Measure Summary Sheets
APPENDIX E – Performance Measure Process Maps

Appendix A

BACKGROUND

Government Performance and Results Act

The Government Performance and Results Act (GPRA) was enacted to increase accountability in the Federal agencies. Prior to GPRA, Federal agencies lacked well-defined program goals and adequate feedback regarding program performance. This hindered Federal agencies in their efforts to increase program efficiency and effectiveness, and prevented them from being accountable. Furthermore, this lack of accountability on the part of the Federal managers prevented Congress from making informed budgetary decisions. In order to increase accountability, GPRA required Federal agencies to develop 5-year strategic plans, annual performance plans, and annual performance reports.

Strategic plans define an agency's mission in terms of their major functions and operations. The agency's goals and objectives, and how they will be achieved by the agency, must be included in their strategic plan. The strategic plan also describes the quantifiable performance measures to be used by the agency, and how they relate to the agency's goals and objectives.

Annual performance plans establish objective, quantifiable, and measurable performance goals for an agency.
These plans also describe the operational processes and resources necessary to meet the performance goals, establish performance indicators to measure the relevant outcomes, and provide a basis for comparing the outcomes with the performance goals. The annual performance plans also provide a means to validate and verify the measured outcomes.

Annual performance reports compare the actual program performance achieved with the performance goals for each performance indicator defined in the agency's annual performance plan. These reports contain the agency's evaluation of their performance plan relative to the performance achieved during the fiscal year. If performance goals have not been met, the agency must include an explanation, as well as a plan for achieving the performance goals in the future. Alternatively, if the agency believes the goals are impractical, they would include their rationale and recommended alternatives in the annual performance report.

SSA's Performance Measures

The Social Security Administration (SSA) defined five strategic goals in its FY 1998-2002 strategic plan, Keeping the Promises:

1. Promote valued, strong, and responsive social security programs and conduct effective policy development, research, and program evaluation
2. Deliver customer-responsive, world-class service
3. Make SSA program management the best in the business, with zero tolerance for fraud and abuse
4. Be an employer that values and invests in each employee
5. Strengthen public understanding of the social security programs

For each strategic goal, SSA's strategic plan also defined specific objectives to achieve each of the goals.

SSA's FY 1998 annual GPRA performance report, published as part of their FY 1998 Accountability Report, includes actual performance data and goals for 57 performance measures.
PricewaterhouseCoopers was engaged to evaluate nine specific performance indicators found in SSA's FY 1998 Accountability Report. The performance indicators (or performance measures, as they are referred to in the Accountability Report) are as follows:

1. Percent of OASI claims processed by the time the first regular payment is due or within 14 days from effective filing date, if later
2. OASI claims processed
3. Percent of initial SSI aged claims processed within 14 days of filing
4. SSI aged claims processed
5. Representative payee actions
6. SSN requests processed
7. Annual earnings items
8. Percent of earnings posted to individuals' records by September 30
9. Percent of individuals issued SSA-Initiated PEBES as required by law

During testing, it was noted that the nine performance measures could be defined by six distinct processes. The systematic flow of information for three of the measures was almost identical to the flow of information for three other measures. Furthermore, these groupings match those that the OIG has selected for generating their upcoming reports. The six processes are as follows:

1. RSI claims (performance measures #1 and #2)
2. SSI aged claims (performance measures #3 and #4)
3. Representative payee actions (performance measure #5)
4. SSN requests processed (performance measure #6)
5. Annual earnings items (performance measures #7 and #8)
6. Percent of individuals issued SSA-Initiated PEBES as required by law (performance measure #9)

This report represents our understanding and evaluation of the SIPEBES process.

The SIPEBES process encompasses performance measure #9.
Performance measure #9, percent of individuals issued SSA-Initiated PEBES as required by law, determines if SSA is issuing all the SSA-initiated Personal Earnings and Benefit Estimate Statements (SIPEBES) they are legally required to issue. The objective is to make 9 out of 10 Americans knowledgeable about the Social Security programs in five important areas by the year 2005. The five areas are: the basic program facts, the financial value of programs to individuals, the economic and social impact of the programs, how the programs are financed today, and the financing issues and options. This broad objective relates to the strategic goal to strengthen public understanding of the social security programs.

By law, under Section 1143 of the Social Security Act, SSA is required to annually issue SIPEBES to approximately 15 million eligible individuals age 60 and over during FYs 1996 through 1999 for whom a current mailing address can be determined. SSA accelerated its mailings and as of March 1999 had exceeded the legislative mandate. For FY 2000, SSA is required to send SIPEBES annually to all eligible individuals age 25 and over. Eligible individuals include those individuals who have a valid SSN, are not in benefit status, have earnings on their record, and who live in the US or a US Territory. For Puerto Rico and the Virgin Islands, the US has a special arrangement with the tax authorities of these countries to transfer electronically a list with the names and addresses of the tax-paying residents of the respective countries.
The measure excludes those who are deceased or below the stipulated age to receive a SIPEBES, RIC 'X' holders (designates an individual who as a child received benefits), individuals who have pending claims, recipients for whom an address cannot be located, individuals who have no earnings posted on the record, and individuals who have received a PEBES within the past fiscal year, either on-request or SSA-initiated.

This performance measure is presented as a percentage. The numerator is defined as the total number of SIPEBES issued during the fiscal year. The denominator is the total number of SIPEBES required to be sent by law during the fiscal year. The FY 1998 performance goal was 100 percent, and SSA reported the performance result as 100 percent.

PEBES 2000, the new system to process PEBES, will be implemented in FY 2000.

Performance measure #9 is obtained from the SIPEBES Process. The data flow is depicted in Figure 6, and the underlying process is shown in greater detail in Appendix E.

[Figure 6: SIPEBES Process. NUMIDENT Data feeds the NUMIDENT Merge, which feeds the Generalized Earnings Statement System (GESS); the Master Earnings File also feeds GESS. GESS produces the SIPEBES and a file (report) with YTD counts, which goes to EMIS and from there into the Accountability Report.]

The SIPEBES process is primarily accomplished using the General Earnings Statement System (GESS). The process is initiated in the NUMIDENT system.
A NUMIDENT Merge operation sweeps the NUMIDENT Database and drops clients that are deceased or outside of the relevant age brackets. The NUMIDENT Merge also checks the PEBES History file and drops clients that have previously received a PEBES. Finally, the NUMIDENT Merge operation writes eligible clients into files for processing by GESS.

Each week, GESS determines which segment(s) of clients are eligible for a SIPEBES and generates a corresponding list. GESS then drops clients that are on the Master Benefit Record (MBR).6 The system subsequently sends a request for addresses to the IRS for the clients remaining on the list.7 The list of eligible clients is further reduced, as many addresses will not be available from the IRS.

GESS obtains earnings records from the Master Earnings File (MEF) for the remaining SIPEBES clients. After performing numerous validations and edit checks, the system checks each client's insured status and performs the relevant computations for estimated benefits. Ultimately, GESS writes the completed PEBES information to an output file, which is sent to a contractor for printing and mailing. At the same time, a file of PEBES counts is transferred to OIM via NDM.

OIM enters GESS data and annual NUMIDENT Merge data into MIPEBES, an OIM system used to obtain management information from PEBES. MIPEBES is then used to generate reports with annual SIPEBES targets and year-to-date counts. OIM places

6 The GESS System assumed that any clients listed on the MBR were in pay status and consequently dropped them. In reality, there were people dropped, such as those with a RIC "X" record (indicating they received payments as a child), that should have still received a SIPEBES.
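The selection flow described above (NUMIDENT Merge, then the GESS drops for the MBR, IRS addresses and MEF earnings), the MBR assumption flagged in footnote 6, and the record-count and MEF-to-NUMIDENT checks listed among the CAAT tests in Appendix B, as an added Python model. It is not SSA or PwC code; the record layouts, field names and every record are constructed assumptions, and the corrected branch keeps MBR records that are not in pay status, as footnote 6 implies.

```python
"""Added example, not SSA's code: a small model of the SIPEBES selection
flow (NUMIDENT Merge, then GESS drops) and of performance measure #9.
Record layouts, field names and every record below are constructed
assumptions; the SSNs deliberately use the invalid 000 area number."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class NumidentRecord:
    ssn: str
    age: int
    deceased: bool
    us_territory: bool = False  # footnote 7: territory addresses are held at SSA


@dataclass
class MbrRecord:
    ric: str             # "X" marks someone who received benefits as a child
    in_pay_status: bool  # True only for a client currently receiving benefits


def numident_merge(numident: List[NumidentRecord], pebes_history: Set[str],
                   min_age: int) -> List[NumidentRecord]:
    """Annual sweep: drop the deceased, those below the stipulated age, and
    anyone the PEBES History file shows already received a statement."""
    return [r for r in numident
            if not r.deceased and r.age >= min_age
            and r.ssn not in pebes_history]


def gess_select(clients: List[NumidentRecord], mbr: Dict[str, MbrRecord],
                irs_addresses: Set[str], mef: Dict[str, List[int]],
                assume_mbr_means_pay_status: bool) -> List[str]:
    """Weekly GESS pass. With assume_mbr_means_pay_status=True this mirrors
    the footnote 6 flaw: any MBR record is treated as pay status, so a RIC "X"
    holder who is not being paid is wrongly dropped. With False only clients
    actually in pay status are removed (the "not in benefit status" rule)."""
    selected = []
    for c in clients:
        rec = mbr.get(c.ssn)
        if rec is not None and (assume_mbr_means_pay_status or rec.in_pay_status):
            continue
        # IRS address request; territory residents are addressed from SSA's data
        if not (c.us_territory or c.ssn in irs_addresses):
            continue
        # Master Earnings File lookup: no earnings posted means no statement
        if not mef.get(c.ssn):
            continue
        selected.append(c.ssn)
    return selected


def performance_measure_9(issued: int, required: int) -> float:
    """PM #9 as a percentage: SIPEBES issued / SIPEBES required by law."""
    if required <= 0:
        raise ValueError("denominator (SIPEBES required) must be positive")
    return round(100.0 * issued / required, 1)


def mef_records_without_numident(mef: Dict[str, List[int]],
                                 numident: List[NumidentRecord]) -> Set[str]:
    """CAAT-style check from Appendix B: MEF SSNs with no NUMIDENT record."""
    known = {r.ssn for r in numident}
    return {ssn for ssn in mef if ssn not in known}


# Constructed test data (not real records); age floor 60 models FY 1996-1999.
NUMIDENT = [
    NumidentRecord("000-00-0001", 64, False),   # fully eligible
    NumidentRecord("000-00-0002", 70, True),    # deceased
    NumidentRecord("000-00-0003", 40, False),   # under the age floor
    NumidentRecord("000-00-0004", 62, False),   # received a PEBES last FY
    NumidentRecord("000-00-0005", 61, False),   # RIC "X", not in pay status
    NumidentRecord("000-00-0006", 66, False),   # in pay status
    NumidentRecord("000-00-0007", 63, False),   # IRS has no address
    NumidentRecord("000-00-0008", 65, False, us_territory=True),
    NumidentRecord("000-00-0009", 67, False),   # no earnings on the MEF
]
PEBES_HISTORY = {"000-00-0004"}
MBR = {"000-00-0005": MbrRecord("X", False),
       "000-00-0006": MbrRecord("A", True)}
IRS_ADDRESSES = {"000-00-0001", "000-00-0005", "000-00-0006", "000-00-0009"}
MEF = {"000-00-0001": [31000, 32500], "000-00-0005": [18000],
       "000-00-0006": [24000], "000-00-0007": [22000],
       "000-00-0008": [27000], "000-00-0099": [5000]}  # 0099: no NUMIDENT


def run_demo(min_age: int = 60) -> dict:
    merged = numident_merge(NUMIDENT, PEBES_HISTORY, min_age)
    flawed = gess_select(merged, MBR, IRS_ADDRESSES, MEF, True)
    fixed = gess_select(merged, MBR, IRS_ADDRESSES, MEF, False)
    # If numerator and denominator both come from the same GESS output the
    # measure reads 100% regardless; measuring issued against the legally
    # required population (the corrected selection) exposes the flaw.
    return {
        "merge_count": len(merged),
        "flawed": flawed,
        "fixed": fixed,
        "pm9_flawed": performance_measure_9(len(flawed), len(fixed)),
        "mef_orphans": mef_records_without_numident(MEF, NUMIDENT),
    }


if __name__ == "__main__":
    print(run_demo())
```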
However, this flaw has been corrected for the new PEBES 2000 System.

7 The one exception to this is that the addresses for clients living in a US territory are kept at SSA.

this information on the EMIS intranet. OCOMM obtains the relevant data from EMIS and computes PM #9. The performance measure is then provided to OFPO for inclusion in the accountability report.

Appendix B

SCOPE AND METHODOLOGY

The SSA OIG contracted PricewaterhouseCoopers to evaluate nine of SSA's FY 1998 performance indicators established to comply with GPRA. This report reflects our understanding and evaluation of the SIPEBES process, which includes performance measure #9 (Percent of individuals issued SSA-Initiated PEBES as required by law). Testing was performed from June 9, 1999 through October 1, 1999, as follows:

1. Gain an understanding and document the sources from which data is collected to report on the specified performance measures;
2. Identify and test critical controls (both EDP and manual) of systems from which the specified performance data is generated;
3. Test the accuracy of the underlying data for each of the specified performance measures;
4.
Recalculate each specific measure to ascertain its mathematical accuracy;
5. Evaluate the impact of any relevant findings from prior and current audits with respect to SSA's ability to meet performance measure objectives; and
6. Identify findings relative to the above procedures and make suggestions for improvement.

As a result of our reliance on prior and current SSA audits, our report contains the results of internal control testing and system control deficiencies.

Limitations

Our engagement was limited to testing at SSA headquarters. Furthermore, when recalculating the specific performance measures, we used FY 1998 data except when SSA was unable to provide all the documentation necessary to fully evaluate the FY 1998 performance measure amounts reported in the Accountability Report. In those cases, FY 1999 data was evaluated.

These procedures were performed in accordance with the AICPA's Statement on Standards for Consulting Services, and are consistent with Government Auditing Standards (Yellow Book, 1994 version).

1. Gain an understanding and document the sources from which data is collected to report on the specified performance measures

We obtained an understanding of the underlying processes and operating procedures surrounding the generation of performance measures through interviews and meetings with the appropriate SSA personnel and by reviewing the following documentation:

• Policies and procedures manual for procedures surrounding the processing, accumulating, and reporting of the data for the nine performance measures;
• PwC system walk-through descriptions;
• SSA-provided system descriptions;
• Internal or external reports on the nine performance measures (including OIG, GAO, etc.); and
• Review of any of the nine performance measures performed in conjunction with prior financial audits by
PricewaterhouseCoopers.

2. Identify and test critical controls (both EDP and manual) of systems from which the specified performance data is generated

Based on the understanding we obtained above in Methodology #1, we identified key controls for the nine performance measures. For each of the nine performance measures, the controls surrounding the following were tested (Note: in cases where PricewaterhouseCoopers tested key controls as part of prior financial audits, findings were updated, and testing was not reperformed):

Performance Measure #9: Percent of individuals issued SSA-Initiated PEBES as required by law

• "NUMIDENT Merge"
• IRS address request
• SSA Print Management SIPEBES verification
• Postal Service SIPEBES verification
• OIM receipt of SIPEBES count
• Applicable application controls
• Applicable general computer controls

All Performance Measures

• Formation of specific systems requirements for different major development projects, routine maintenance, and cyclical changes
• Information protection control structure (system security)
• SSA's systemic contingency plan
• Documentation of program changes evidencing user approval and testing
• SSA's System Security Handbook

3. Test the accuracy of the underlying data for each of the specified performance measures

Based on the understanding we obtained above in Methodology #1, we identified key files, databases, and reports for the nine performance measures.
To ensure data availability and to evaluate the data, Computer Assisted Audit Techniques (CAATs) testing was performed for each of the nine performance measures as follows:

Performance Measure #9: Percent of individuals issued SSA-Initiated PEBES as required by law

• Extracted all eligible clients to receive a SIPEBES and compared the record count to that of the records extracted via the NUMIDENT merge;
• Compared the record count SSA sends to IRS to requested addresses;
• Identified that Master Earnings File records have a corresponding record on the NUMIDENT; and
• Evaluated the selection of SIPEBES recipients per specific criteria.

4. Recalculate each specific measure to ascertain its mathematical accuracy

Based on the understanding we obtained above in Methodology #1, we requested and reviewed documentation to ensure the mathematical accuracy of the nine performance measures as follows:

Performance Measure #9: Percent of individuals issued SSA-Initiated PEBES as required by law

• Recalculated the performance measure value reported in the FY 1998 Accountability Report (Value is from PSIW01 Report); and
• Traced the PSIW01 value used in the calculation of the performance measure to the GESS Report.

5. Provide OIG management with a written report identifying findings relative to the above procedures and with suggestions for improvement

Based upon the evaluation performed, as outlined in the four above methodologies, PricewaterhouseCoopers has prepared a written report detailing the internal control deficiencies in SSA's performance measurement systems, as well as inaccuracies in SSA data used to report on the nine selected performance measures. PricewaterhouseCoopers has also provided recommendations to address the system deficiencies and data inaccuracies noted
during the performance of the agreed-upon procedures.

6. Evaluate the impact of any relevant findings from prior and current audits with respect to SSA's ability to meet performance measure objectives

PricewaterhouseCoopers has noted five relevant findings from prior and current audits that may impact SSA's ability to meet performance measure objectives. All findings were noted in our FY 1999 financial audit. The relevant findings impact all performance measures, and are as follows:

• SSA has a number of data integrity deficiencies
• SSA's system environment has security deficiencies
• CAS procedural and systems documentation have not been updated
• SSA has systems design and documentation deficiencies
• SSA has a number of deficiencies in their systems contingency plan

Appendix C

AGENCY COMMENTS

January 28, 2000

James G. Huse, Jr.
Inspector General

William A. Halter
Deputy Commissioner

Office of the Inspector General (OIG) Draft Report, "OIG Performance Measure Review: Summary of PricewaterhouseCoopers (PwC) LLP Review of SSA's Performance Data"

We appreciate the opportunity to comment on the draft summary report. We also appreciate the OIG/PwC acknowledgement that SSA has developed a number of useful performance measures in the spirit of the Government Performance and Results Act (GPRA) and has discussed them in proper detail in the FY 2000 Performance Plan.

Further, we appreciate the report's stated intention to provide SSA with suggestions which may assist us in preparing for the final phases of GPRA.
However, we believe the report should more clearly state throughout that current GPRA requirements were not in effect during FY 1998, the year for which the data were examined, and that it would therefore be inappropriate to extrapolate the findings to SSA's implementation of GPRA for FY 1999 or FY 2000.

The GPRA statute requires that certain elements be included in annual performance plans and that other elements be included in annual performance reports. GPRA further requires that agencies prepare annual performance plans that set out specific performance goals for FYs beginning with 1999. It also requires that agencies report annually on performance compared to goals, with the first report due in March 2000, to cover FY 1999. As mentioned above, the requirements of GPRA, including a description of the means employed to verify and validate the measured values used to report on program performance, were not in effect for FY 1998. SSA's efforts in this area were preliminary, and have significantly evolved with our FY 1999 and FY 2000 GPRA documents.

For FY 1998, and as we were moving toward preparation of our first GPRA Strategic Plan and our Annual Performance Plan for FY 1999, SSA published a Business Plan. We stated in our Business Plan that for FY 1998 we were including performance measures for which we had measurement systems in place and current performance information. We also included related output measures for several priority workloads.

Although not a GPRA requirement, we also elected to report in our FY 1998 Accountability Report on those FY 1998 goals which we decided to include in our FY 1999 Annual Performance Plan. We did not, however, meet all the requirements for an Annual Performance Report in that document, nor was it our intention to do so.
We are concerned that implicit in many of the report's recommendations is the erroneous conclusion that SSA should have complied, in 1998, with statutory requirements that were not yet in effect. We believe that all GPRA requirements are met, as required by statute, by our recently released FY 1999 GPRA Performance Report.

Finally, as you know, 30 of the 40 recommendations contained in the subject audit report are either exactly duplicative or very nearly duplicative of recommendations contained in past financial statement audit reports. Since we are already taking corrective actions for those that we accepted as valid, we will not be addressing the duplicate recommendations in this response. We will, of course, continue our efforts to implement corrective actions, as appropriate, and to provide status reports until completed.

As you indicate, SSA is positioned to be a leading performance-based budgeting organization and to meet the future requirements of GPRA. The Office of Management and Budget has designated SSA as a pilot project for performance budgeting. The continuing disability reviews program is the specific activity covered by this designation and the time period covered will be FY 2001. We anticipate that our participation will enrich the learning from the government-wide pilot with regard to the feasibility and impacts of performance-based budgeting.

Attached are specific comments to the draft report. Staff questions may be referred to Odessa J. Woods on extension 50378.

Improvement Area 1--SSA lacks sufficient performance measure process documentation and did not retain documents to support the FY 1998 amount.

Recommendation 1

1. We recommend that SSA place ownership for the performance measure process and reporting within an organizational unit. Data ownership would still remain with the user organizations.
However, an organizational unit should be accountable for the overall performance measure processes and results. Their charter should include the following responsibilities:

• Identify and document the processes surrounding the generation and accumulation of performance measure values. This would establish a clear method for verifying and validating the performance measures.

• Establish policies and procedures surrounding the retention of performance measure documentation. The documentation retained should allow for the timely verification of the performance measure values, and should be maintained for at least one year.

• As new systems are developed, evaluate their potential impact on the accumulation of performance measure data. Systems with potential impact should be designed to include the means of producing a verifiable audit trail to validate the performance measure results as they are defined in the Accountability Report.

Response to Recommendation 1

We agree in concept with this recommendation. SSA's Office of Strategic Management (OSM) is responsible for coordinating the Agency's GPRA activities.
In addition, we will continue to work to improve the development and retention of the kind of documentation needed for external audits of our performance measures.

Improvement Area 2--SSA has a number of data integrity deficiencies.

Recommendations 2-10

Response to Recommendations 2 - 10

These recommendations are either a direct reprint of the recommendations contained in PricewaterhouseCoopers' (PwC) FY 1998 Management Letter, Part 2 or a reiteration containing only minor editorial changes.

Recommendation 7

• SSA should develop policies and procedures for the resolution of unmatched items in DACUS and establish a work group with primary responsibility for resolution. One of the duties of this group should be to analyze patterns in exceptions and facilitate the implementation of changes to the automated matching algorithm to make it more effective.

Response to Recommendation 7

We agree that a workgroup should be established to determine DACUS exception patterns and make recommendations on changes in matching routines, as appropriate. The workgroup will be led by the Office of Systems Requirements with involvement from other impacted components. We have already determined that gender should be deleted as a matching item and plan to implement this change before the Year 2000
DACUS Release 5 will be the vehicle for implementing changes\nrecommended by the workgroup.\n\nRecommendation 8\n\n\xe2\x80\xa2\t SSA should implement: 1) initiatives to reduce the amount of time required by\n   outside sources for submitting death notifications, such as the electronic death\n   certificate project currently being tested; and, 2) a method to prevent the submission\n   or receipt of duplicate information, whether submitted from the same or different\n   sources (DACUS, NUMIDENT, MBR, SSR)\n\nResponse to Recommendation 8\n\nWe partially agree with this recommendation. We agree with the first bulleted item. We\nhave provided for Systems support for an Electronic Death Certificate process in the\nappropriate 5-Year plans.\n\nWe request the auditors reconsider its recommendation contained in the second\nbulleted item. The recommendation to prevent receipt/issuance of duplicate death data\nconcerning the same individual from multiple sources is technically impossible. To\nprevent reporting duplication, it would require that all agencies have direct, interactive\naccess to the SSA databases, which is not advisable. Even that would not prevent\nindividual sources such as family members and funeral directors also from reporting on\nsomeone previously reported by an agency. (There is no way to \xe2\x80\x9creceive\xe2\x80\x9d only certain\nrecords on a given file.)\n\nSSA only pays State Bureaus of Vital Statistics for death data and then only if it is the\nfirst report of death. 
In future DACUS analysis efforts, we will examine the MI for State data to ensure that it is properly identifying only those records for which payment is due.

Recommendation 9

• With the completion of the Year 2000 project in FY 2000, SSA should begin implementation of DACUS Release 2 (a high priority of SSA's five-year IRM plan), to provide functionality to automatically delete NUMIDENT death postings when a person is "resurrected" on the MBR and SSR (NUMIDENT, MBR, SSR).

Response to Recommendation 9

We agree. We expect to complete Year 2000 DACUS activities in early 1999. We will then develop the schedule for DACUS Release 2 and include the dates in the 3/99 update of the Enumeration/Client 5-Year plan.

We also would like to clarify item C as the Findings section is inaccurate. Date of death processing was not a part of Release 2 of ICDB in 8/97 for title II or XVI. However, we did do a special clean-up of MBR and SSR death data to the Numident in 1998. This is what accounts for the vast drop in discrepant cases. The remaining cases failed the automated matching routines, generally because of significant differences in names. Manual investigation would have to be undertaken to determine if the individuals are indeed the same person.
We also note that SSA policy requires investigation of date discrepancies only when they would be significant to a finding of overpayment; i.e., when a person has already been terminated for another reason such as disability cessation, a later death date would have no impact.

Recommendation 10

• SSA should firm up plans to implement the ICDB R2 functionality for the SSI system (SSR) to provide updated (substantiated) date of birth information to the NUMIDENT (NUMIDENT, MBR, SSR).

Response to Recommendation 10

We request the auditors reconsider their recommendation as it is inaccurate. Date of birth processing was included in ICDB Release 2 in 8/97 for both Title II and XVI initial claims cases; there is no outstanding need to develop this capability for SSI cases. What does remain is the clean-up of the pre-existing data as described in III. 6. General above. That "mass saturation" was NOT done in 6/98 as stated by PwC. What was executed in 1998 was the clean-up of existing dates of death.

Improvement Area 3--SSA's system environment has security deficiencies.

Recommendations 12-22

Response to Recommendations 12-22

These recommendations are direct reprints of findings and recommendations contained in PwC's FY 1999 report on management's assertion about the effectiveness of internal control.

Recommendation 12

As previously reported in the FY 1999 Accountability Report, we recommend that SSA accelerate and build on its progress to enhance information protection by further strengthening its entity-wide security as it relates to implementation of physical and technical computer security mechanisms and controls throughout the organization.
In general, we recommend that SSA:

• Reevaluate its overall organization-wide security architecture;

Response to Recommendation 12

SSA agrees with this recommendation and is initiating a full reassessment of its organization-wide security architecture to ensure that vulnerabilities, especially those introduced by new technology, are being addressed. This strategic reassessment will allow SSA to identify any additional initiatives needed to upgrade its programs. Enhancements to the existing architecture resulting from this activity will be implemented and communicated to all SSA components.

Recommendation 13

• Reassess the security roles and responsibilities throughout the organization's central and regional office components;

Response to Recommendation 13

SSA agrees with this recommendation and is currently reassessing security roles and responsibilities. Recently, SSA elevated the organizational structure of the entity for information systems security within the Office of Finance, Assessment and Management. Also, within the Office of Operations, a higher level security oversight group was formed and there was a reassessment of regional security officer roles to emphasize the increased importance of their roles.

Recommendation 14

• Assure that the appropriate level of trained resources is in place to develop, implement and monitor the SSA security program;

Response to Recommendation 14

SSA agrees with this recommendation and has enhanced security training by directing additional funds toward new security training courses for both Headquarters and regional security staffs.
In addition, the Office of Systems is taking steps to improve its security program by obtaining additional expertise via contractor services.

The additional training and the organizational refocusing discussed above will ensure the appropriate level of trained resources is in place to develop, implement and monitor the SSA security program.

Recommendation 15

• Enhance and institutionalize an entity-wide security program that facilitates strengthening of LAN and distributed systems' security;

Response to Recommendation 15

SSA agrees with the recommendation and has been working diligently on improvements in this area. SSA will continue to enhance and institutionalize the entity-wide security program through a series of enhancements to the mainframe, LAN and distributed systems. The enhancements will include: improved monitoring of access controls, particularly in field activities; full implementation of the Enterprise Security Interface; administrative monitoring and penetration testing.

Recommendation 16

• Review and certify system access for all users;

Response to Recommendation 16

SSA agrees with this recommendation and continues to make progress in this area. The Office of Systems continues to work aggressively to adjust access rights under its Standardized System Profile Project.

Recommendation 17

• Enhance procedures for removing system access when employees are transferred or leave the agency;

Response to Recommendation 17

SSA agrees with this recommendation and will continue to improve our procedures and the comprehensive processes already in place for removing system access when employees are transferred or leave the Agency.

Recommendation 18

• Decrease vulnerabilities in the mainframe operating system configuration;

Response to Recommendation 18

SSA agrees with
this recommendation and will continue to evaluate our mainframe operating system configuration and initiate changes to protect against threats, both deliberate and unintentional.

Recommendation 19

• Implement the mainframe monitoring process;

Response to Recommendation 19

SSA agrees with this recommendation. As acknowledged earlier in the report, SSA has established the SMART Report, which is distributed to the security officers responsible for the groups using the systems. While most users are in non-Headquarters offices, all users, including those in central office, are tracked and monitored. Procedures have been distributed which focus the reviews on specific types of transaction scenarios, thereby making the SMART system a more useful security management and enforcement tool. We agree that additional enhancements for increased use of the report can be made both in the field and in central office. We will continue to improve the use of the report to monitor inappropriate access to SSA's systems.

Recommendation 20

• Finalize accreditation and certification of systems;

Response to Recommendation 20

SSA agrees with this recommendation and either certified or recertified all of SSA's sensitive systems in July 1999.

Recommendation 21

• Develop and implement an ongoing entity-wide information security compliance program; and

Response to Recommendation 21

SSA agrees with this recommendation and has a number of existing and planned programs to monitor compliance with security policies and procedures.
In addition to automated controls, SSA also monitors compliance through programmatic and systems audits, financial systems reviews, and other internal studies and reviews.

SSA has made progress in developing the Comprehensive Integrity Review Process (CIRP) system that will consolidate integrity review functions into a single automated facility where transactions will be screened against specific criteria. The criteria include cross-application criteria and can be changed to concentrate on emerging trends. SSA remains committed to ongoing enhancement and implementation of the CIRP system.

Recommendation 22

• Strengthen physical access controls at non-headquarters sites.

Response to Recommendation 22

SSA agrees with this recommendation and is committed to strengthening security at non-Headquarters sites. We are in the process of enhancing the badging procedures and policy enforcement in the regions and other major non-Headquarters facilities. In addition, the Agency, through its security tactical plan, has been working to increase physical security at the National Computer Center (NCC) and SSA facilities around the country.

Improvement Area 5--GPRA documents prepared for external evaluation of SSA performance do not clearly indicate the sources of the performance measures.

Recommendation 26

We recommend that SSA develop clear and concise descriptions of each performance measure's source.

Response to Recommendation 26

We agree that reporting documents prepared for public consumption should contain, in lay terms, clear descriptions of the sources of our performance measures. We will consult with your office to determine where you believe this is not the case. In addition, we would note that our documents comply with the requirements of GPRA with regard to the appropriate level of documentation of the sources for external audiences.
The A-11 guidance specifically recommends the following information on data sources:

• The current existence of relevant baseline data, including the time-span covered by trend data;
• The expected use of existing agency systems in the collection and reporting of data;
• The source of the measured data;
• Any expected reliance on an external source(s) for data, and identification of the source(s); and
• Any changes or improvements being made to existing data collection and reporting systems or processes to modify, improve, or expand their capability.

SSA's FY 2000 Annual Performance Plan meets all these requirements.

Where additional, technical detail describing underlying processes and programmatic systems that produce the reported metrics is needed by OIG and GAO auditors, we will continue to make this detail available.

Improvement Area 6--SSA did not calculate the performance measure as it is defined.

Performance Measure #9--Percentage of individuals issued SSA-Initiated PEBES as required by law

Recommendation 29

We recommend that SSA include the 'bad history' records in the SIPEBES count within the OIM report.

Response to Recommendation 29

We agree.
This correction was made with the implementation of a new system that now includes these records in the count of self-initiated Social Security Statements.

Improvement Area 9--SSA has systems design and documentation deficiencies.

Response to Recommendations 32 - 34

These recommendations are equivalent to recommendations contained in PwC's FY 1998 Management Letter, Part 2.

Recommendation 32

We recommend the following:

• SSA should complete implementation of its Validation Transaction Tracking System (VTTS) and continue with its plan to automate the process for submitting System Release Certification (SRC) forms.

Response to Recommendation 32

We agree and believe the first portion of this recommendation is complete. Systems began using VTTS in 1996 for selected validations. In October 1998, its use became mandatory for all validations. VTTS has been converted to SQL and is available for all systems. Evaluation will continue to make it more useful and flexible.

Target dates for automating the SRC forms submission process are now in place. Prototype automated change control procedures are currently being tested and evaluated which will satisfy the second portion of this recommendation. We expect to complete evaluation of the prototype design by Spring 1999. (The prototype evaluation was staged to include various life cycle development projects, e.g., new software development (online and batch), maintenance, cyclical projects.)
We are currently setting up the evaluation of a maintenance type project.

Upon completion of the prototype evaluation, design changes resulting from the evaluation will be incorporated into the automated procedures, software changes to this process will be made, and we will then roll out the process on a project by project basis. We expect to begin roll out by late Summer 1999.

Recommendation 33

• SSA should complete implementation of Platinum's Process Engineering Tool (PET) and institutionalize Carnegie Mellon's Software Engineering Institute's Capability Maturity Model (CMM) methodology.

Response to Recommendation 33

We agree but believe it is too early in the implementation process to provide a date for complete implementation.

Presently, SET standards require documenting software changes. Nevertheless, we are developing a more robust mechanism to support SSA's Information Technology (IT) infrastructure.

We are committed to software process improvement using Carnegie Mellon's Capability Maturity Model (CMM). We have also procured the PLATINUM Technology, Inc.'s Process Engineering Tool (PET). When fully implemented, PET will replace and expand upon the foundation built by SET.

With PET integrated within our CMM approach, SSA is building the foundation for a comprehensive software process improvement infrastructure that goes well beyond the objectives of SET. This infrastructure will create an environment that encourages, supports and provides assurance that we are continuously making improvements in the quality of software, productivity of the software development staff, and timeliness of software delivery.
This will be done by improving project management skills and approaches; defining IT Processes based on SSA and industry best practices; supporting the use of metrics; and continuously improving IT processes.

Three CMM pilot projects are well underway and using SSA developed documented procedures required for compliance with CMM Level 2 Key Process Areas (KPAs). KPAs indicate where an organization should focus to improve its software process and identify the issues that must be addressed to achieve the next maturity level. The KPAs at Level 2 focus on the software project's concerns related to establishing basic project management controls. These KPAs are:

• Requirements management
• Software project planning
• Software project tracking and oversight
• Software subcontract management
• Software quality assurance
• Software configuration management

Processes for all of these KPAs have been developed for iterative lifecycle projects and are available to the pilot project teams over the Web and in the PET tool. DCS is in the process of identifying additional similar "rollout" projects to begin in 1999, which will use these processes to achieve CMM Level 2 compliance. In addition, processes will be developed and pilots initiated in 1999 for the following types of project:

• Programmatic CICS and Batch
• Administrative Development
• Maintenance without established baselines
• Legislative and Notices

These processes will be developed using the PET tool and its rich repository of best practices and process techniques as the delivery mechanism for CMM.
It will be available to the projects over the WEB.

Recommendation 34

• SSA should update its System Security Handbook (Chapter 10 on Systems Access Security) to address all of the acceptable forms for granting access to SSA's computer systems and data.

Response to Recommendation 34

We agree. Chapter 10 of its System Security Handbook lists the SSA-120 as the only security form acceptable. There may be other non-security forms being used for non-security purposes, but they are not appropriately included in the SSH.

Improvement Area 10--SSA has a number of deficiencies in their systems contingency plan.

Response to Recommendations 35 - 40

These recommendations are direct reprints of recommendations contained in PwC's FY 1999 report on management's assertion about the effectiveness of internal control.

Recommendation 35

As previously stated in the FY 1999 Accountability Report, we recommend that SSA:

• Finalize the list of critical SSA workloads and fully test the plans for recovering each workload;

Response to Recommendation 35

SSA agrees with this recommendation. SSA recently reevaluated and confirmed its critical workloads. Testing that will determine recoverability of all identified critical workloads is scheduled for July 2000.

Recommendation 36

• Establish RTOs for each critical workload;

Response to Recommendation 36

SSA agrees with this recommendation. It is SSA's goal to provide users with a fully integrated set of software to process each critical workload as rapidly as possible. As part of our July 2000 test, we plan to assess and determine realistic timeframes and sequences for restoring critical workloads. These objectives will be incorporated into the next iteration of the Disaster Recovery Plan (DRP).
Subsequent DRP iterations will include timeframes and other supporting information.

Recommendation 37

• Establish recovery priorities for all systems and applications (mainframe and distributed);

Response to Recommendation 37

SSA agrees with this recommendation and continues to work to establish recovery priorities for all mainframe and distributed systems and applications. DRP identifies the recovery sequence of all mainframe workloads. We plan to determine realistic timeframes for reestablishing access to these workloads. In addition, SSA will work to further define the recovery of the distributed workloads.

Recommendation 38

• Update contingency plans for headquarters;

Response to Recommendation 38

SSA agrees with this recommendation. In compliance with Presidential Decision Directive Number 67, Enduring Constitutional Government and Continuity of Operations Plan, SSA has convened an agencywide workgroup to develop an infrastructure for contingency planning. This includes defining organizational roles and responsibilities, essential operations and staffing, training, maintenance, etc. The actions recommended by the workgroup and approved by SSA management will be incorporated into the Agency Contingency plan.

Recommendation 39

• Finalize and test SSA's ultimate strategy for implementing and maintaining alternate processing facilities; and

Response to Recommendation 39

SSA agrees with this recommendation. Our current IAA with GSA provides SSA with a long-term, alternate facility supplied through a GSA contract. These provisions will be implemented and provide SSA access to the site for 1 year should a catastrophic event leave the NCC uninhabitable for longer than 6 weeks. SSA annually tests the use of alternate facilities when conducting its disaster recovery test of NCC operations.
The extent of these tests is limited by test time constraints, the smaller configuration used for testing, availability of personnel and other such factors.

Over the years, SSA has gained significant experience in installing and running its systems on a wide variety of hardware during disaster recovery tests and benchmarking new computing platforms. We believe this experience has resulted in the development of reliable procedures that allow SSA to bring up its systems at any site. This, of course, does not remove SSA's burden of verifying that secondary sites are stocked, as indicated, by the vendor. We will evaluate the benefits of establishing orientation visits at the secondary sites.

Recommendation 40

• Finalize and test contingency plans for non-headquarters sites.

Response to Recommendation 40

SSA agrees with this recommendation and is in the process of reviewing and updating all of the Security Action Plans (SAP) that are in place in its non-Headquarters facilities. The Area Directors will review and test the SAPs as they visit each site during the course of the year. The Agency also conducts field site visits to assess the security that is in place in our offices. In the course of these visits, staff will analyze the plans for effectiveness and verify that employees are familiar with their content and application.

We also offer the following comments:

Improvement Area 2

Bullet 7, "SSA's current practice of obtaining death data does not ensure that this data is entered into DACUS accurately, timely and only once (affects the NUMIDENT, MBR, and SSR). While this data may not have a direct effect on the performance measures (#1, #2, #3, #4, #5, and #9), a noted lack of data verification in these databases indicates the possibility that other data lacks integrity."

Agency Comment

This item requires clarification.
The report is unclear as to whether the development of the third party reports or the input of SSA-721's are factors in the reasons for the OIG conclusion.

Bullet 8, "A comparison of the MBR, SSR and NUMIDENT identified a large number of cases where either the individual was alive and in current pay status on the MBR/SSR but listed as dead on the NUMIDENT, or corresponding records of a given individual had significant differences in dates of death. While this data may not have a direct effect on the performance measures (#1, #2, #3, #4, #5, and #9), a noted lack of data verification in these databases indicates the possibility that other data lacks integrity."

Agency Comment

We are aware of the problem when the person is listed as deceased on the payment records but alive on the NUMIDENT. These are usually reinstatement cases. Currently reinstatements require two separate actions and in many cases the payment record is corrected and the NUMIDENT remains uncorrected. Release 2 of DACUS, scheduled for implementation in August 2000, will enable the reinstatement to communicate with the DACUS system. This will result in a corrected NUMIDENT.

Other Matters

1. Documents prepared for external evaluation of SSA performance could be improved to clearly explain the intended uses of the performance measures to comply with future GPRA requirements.

Agency Comment

In response to the cited General Accounting Office recommendations, SSA is expanding the explanation of the goals and measures and how they contribute to evaluating overall SSA performance in the FY 2001 Performance Plan due to Congress in February 2000.

2.
The nine performance measures are not explicit performance budgeting metrics, but are nonetheless appropriate internal performance indicators and are useful to the SSA-wide strategic planning process.

Agency Comment

The statements in this section should be modified to recognize that stakeholders not only include Congressional appropriators, but also customers, policy makers and the general public who are looking at the overall effectiveness of the Agency in fulfilling its mission. GPRA prescribes that outcome measures will be used for this purpose.

3. SSA is positioned to be a leading performance-based budgeting organization and to meet the future requirements of GPRA.

Agency Comment

We appreciate the confidence expressed by the OIG in SSA readiness for performance budgeting. The Office of Management and Budget (OMB) has designated SSA as one of the government-wide performance budgeting pilot projects provided for in GPRA. Within SSA, the Continuing Disability Reviews program is the specific activity covered by this designation. OMB considers the performance budgeting pilot projects to be an opportunity to examine the feasibility and potential application of several approaches to performance budgeting. In this context, OMB intends to use performance and resource data provided by the pilots during development of the FY 2001 budget and to report to Congress on the results of the pilots no later than March 31, 2001, as required by GPRA.

Appendix A, Background, GPRA

This section should state clearly that the requirements of GPRA for Agency performance plans and Agency performance reports were not in effect until FY 1999.
It should also acknowledge that although the report covers FY 1998 performance measures, the GPRA requirements, including descriptions of the means employed to verify and validate the measured values used to report on program performance, were not in effect at that time.

Appendix A, SSA's Performance Measures

The last paragraph should read "FY 1997-2002 strategic plan, 'Keeping the Promise.'"

Appendix D

Performance Measure Summary Sheets

Name of Measure: 9) Percentage of individuals issued SSA-Initiated PEBES as required by law

Measure Type: Percentage

Strategic Goal/Objective:
Goal: To strengthen public understanding of the social security programs
Objective: By 2005, 9 out of 10 Americans will be knowledgeable about the Social Security programs in five important areas:
• Basic program facts
• Financial value of programs to individuals
• Economic and social impact of the programs
• How the programs are financed today
• Financing issues and options
Definition

By law, under Section 1143 of the Social Security Act, SSA is required to issue annually "SSA-initiated" PEBES (SIPEBES) to approximately 15 million eligible individuals age 60 and over during FYs 1996 through 1999 for whom a current mailing address can be determined. SSA accelerated its mailings and as of March 1999 had exceeded the legislative mandate. For FY 2000, SSA is required to send SIPEBES annually to all eligible individuals age 25 and over. Eligible individuals include those individuals who have a valid SSN, are not in benefit status, have earnings on their record and who live in the US or a US Territory. For Puerto Rico and the Virgin Islands the US has a special arrangement with the tax authorities of these countries to transfer electronically a list with the names and addresses of the tax paying residents of the respective countries. The measure excludes those who are deceased or below the stipulated age to receive a SIPEBES, RIC 'X' holders, individuals who have pending claims, recipients for whom an address cannot be located, individuals who have no earnings posted on the record and individuals who have received a PEBES in the past, either on-request or SSA-initiated.

Purpose

The SIPEBES are intended to increase the public's understanding and knowledge of the Social Security program by informing wage earners as to their estimated future benefits. The SIPEBES also serve as an indicator as to the accuracy of the posting of earnings to the record of a wage earner. They also serve as a useful financial planning tool for wage earners. This performance measure is intended to gauge the extent to which SSA is meeting the requirements mandated under Section 1143 of the Social Security Act.

How Computed: The percentage = x/y, where x = number of SIPEBES issued and y = number required to be sent by law during the fiscal year.
Data Source: GESS
Data Availability: Some FY 1998 available, FY 1999 available
Data Quality: Acceptable

Explanatory Information: PEBES 2000 will soon be implemented and in the future will impact our testing and the results of our testing.
Report Frequency: Weekly

Target Goal: 100%
Division: OCOMM
Designated Staff Members: Rusty Toler

EDP Auditor Testing and Results

EDP Auditor testing was performed to ensure controls were in existence and operating effectively within the following processes:
• "NUMIDENT Merge"
• IRS address request
• SSA Print Management SIPEBES verification
• Postal Service SIPEBES verification
• OIM receipt of SIPEBES count
• Applicable application controls
• Applicable general computer controls
• Formation of specific systems requirements for different major development projects, routine maintenance, and cyclical changes
• Information protection control structure (system security)
• SSA's systemic contingency plan
• Full documentation of program changes evidencing user approval and testing
• SSA's System Security Handbook

See results of engagement entitled "SSA has a number of data integrity deficiencies," "SSA's system environment has security deficiencies," "SSA has systems design and documentation deficiencies," and "SSA has a number of deficiencies in their systems contingency plan."

CAATs Testing and Results

• Extracted all eligible clients to receive a SIPEBES and compared the record count to that of the records extracted via the NUMIDENT merge;
• Compared the record count SSA sends to IRS to requested addresses;
• Identified that Master Earnings File records have a corresponding record on the NUMIDENT; and
• Evaluated the selection of SIPEBES recipients per specific criteria.

See results of engagement entitled "SSA has a number of data integrity deficiencies."

Process Improvement Testing and Results

• Recalculated the performance measure value reported in the FY 1998 Accountability Report (value is from the PSIW01 Report); and
• Traced the PSIW01 value used in the calculation of the performance measure to the GESS Report.

See results of testing entitled "SSA lacks sufficient performance measure process documentation, and does not retain documents to support the FY 1998 amounts," "GPRA documents prepared for external evaluation of SSA performance do not clearly indicate the sources of the performance measures," and "SSA did not calculate three of the performance measures as they are stated in their respective definitions."

Appendix E

Performance Measure Process Maps

SIPEBES Process
PM #9: Percent of Individuals Issued SSA-Initiated PEBES as Required by Law

[Flowchart, given here as ordered steps; 1A, 1B, 2A and 3A are the connectors between sheets. The units within GESS are labeled as GExxxxx. NDM = Network Data Mover.]

Sheet 1/3

Note: Also called "NUMIDENT Sweep", the NUMIDENT Update system was designed to perform this operation quarterly, but it has been done annually since FY 95. The files are divided by segment and are titled SIPEBNUM.S01-S20.RYYMMDD.

1. Begin: the "NUMIDENT Merge" operation sweeps the NUMIDENT DB and drops clients that are deceased or outside of the age brackets.
2. The "NUMIDENT Merge" operation checks the PEBES History File and drops clients that have previously received a PEBES.
3. The "NUMIDENT Merge" operation writes eligible clients into files for processing by GESS and provides counts to OIM.
4. GETERMAT (weekly) reads the audit file to determine which segment(s) of eligible clients to process.

Note: Pending claims are tracked in a file titled "PENDPEBS". The subsequently merged file is titled "SIWEEKLY.SELECT.RYYMMDD". The audit file allows OSDD to control the number of segments processed each week.

5. (1A) GETERMAT merges SIPEBES records with previously pending SIPEBES claims.
6. GETERMAT reads the MBR and screens out clients that are receiving benefits or are RIC X record holders.
7. GETERMAT checks WMS and SSACS to determine if the client has a pending claim; such cases are transferred to the pending claim file.
8. GETERMAT checks to see if the client lives in a US Territory (PR or VI); if so, GETERMAT obtains addresses from the SSA Territory Address File.
9. GETERMAT provides process counts to OIM.
10. GETERMAT sends address requests to IRS via NDM and creates a control file.
11. IRS obtains available addresses and returns them to SSA via NDM.

Note: The address request goes out on Tuesday evening and the IRS returns the data by the following Monday morning.

12. GEIRSMAT (weekly) matches records from IRS and drops blank addresses.
13. GEIRSMAT writes unmatched records to a file for return to GETERMAT (unmatched record, to 1A).
14. GEIRSMAT rechecks the PEBES history file and drops clients that have previously received any type of PEBES.
15. GEIRSMAT provides process counts to OIM (to 1B).
16. GEKEYSER (daily) merges mailing addresses with transactions.
17. GEKEYSER reads ORPEBES transactions.
18. GEKEYSER sends a "MEF Finder" request to the MEF Nightly Search.
19. GEKEYSER checks the MULTEX file for known multiple account numbers (SSNs).
20. GEKEYSER performs edit checks and writes rejections or exceptions to a file.
21. GEKEYSER provides a file of consolidated input transactions to OIM (to 2A).

Sheet 2/3

22. (2A) GEPEBFUL (daily) reads in PEBES input, MEF records, exception feedback from OCRO, and NUMIDENT verification data.
23. GEPEBFUL performs edit checks and writes valid records to an output file (sorted and fanned into 20 segments).
24. GEPEBFUL extracts SSNs for pending claims from SSACS and WMS and writes them to files for input to GEPEBCON.
25. GEPEBCON (daily) establishes records for new PEBES requests on the PEBES Master File.

First day in Master File:
26. GEPEBCON rechecks the MBR and drops clients that have gone to benefit status.
27. GEPEBCON matches PEBES records against SSNs for pending claims in the WMS and SSACS extract files.
28. GEPEBCON transfers currently pending claims to the circulating file (pending claim, to 1A).
29. GEPEBCON drops previously pending claims that have gone to pay status.
30. GEPEBCON processes previously pending claims that have been denied.
31. GEPEBCON generates a "NUMIDENT verification finder" to look for multiple SSNs (exception, to 1B).

After first day in Master File:
32. GEPEBCON matches MEF data to the PEBES Master record.
33. GEPEBCON generates an additional "MEF Finder" for records that have not arrived.
34. GEPEBCON prepares an OCRO request for relevant old-start data or wage adjustment records.
35. GEPEBCON processes replies to previous NUMIDENT verification finders.
36. GEPEBCON processes OCRO feedback from previous exceptions.
37. GEPEBCON transfers exceptions to the Exception/Completion File.
38. GEPEBCON checks insured status, performs computations and writes completed PEBES to an output file.
39. GEGATHER (daily) routes GEPEBCON output and sends a file of PEBES counts to OIM via NDM.
40. GESAFEAL (daily) sends completed PEBES transactions to the print contractor and updates the PEBES history file.
41. OIM enters GESS data and annual NUMIDENT merge data into MIPEBES.
42. MIPEBES generates the "PSIW01" report with annual SIPEBES targets and weekly, MTD and YTD counts.
43. OIM uses a WP macro to convert the PSIW01 report to .PDF format and places it on EMIS (intranet).
44. OCOMM obtains data from EMIS and computes PM #9.
45. OCOMM provides the performance measure to OFPO for inclusion in the Accountability Report (to 3A).

Note: The input file from GESS is titled "LNK.P6909.OIMCOUNT.PEBCON.R&RUNDATE".

Sheet 3/3

46. (3A) Print Management obtains daily counts from the CLM.GE.PEBES.GE COUNTS file in GESS.
47. Print Management faxes transaction counts to the contractor (daily).
48. The contractor verifies counts received via fax vs. counts received via tape.
49. The contractor verifies PEBES addresses using the National Change of Address System.
50. The contractor verifies PEBES using the Coding Accuracy Support System (CASS).
51. The contractor sorts PEBES by zip code.
52. The Postal Service weighs PEBES at the contractor site (daily).
53. The US Postal Service provides verification of counts to SSA (daily).
54. Mail is routed to the relevant postal stations for distribution.
55. Undelivered PEBES are returned to the Office of Central Operations (Metro West).
56. Undelivered PEBES are weighed to estimate the count.
57. Undelivered PEBES are destroyed by shredding.
58. End.
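The selection rules from the Appendix D definition and the record-count reconciliations listed under CAATs Testing (eligible count vs. NUMIDENT merge output, IRS address requests vs. addresses returned, MEF records with no NUMIDENT record), run over a constructed NUMIDENT/MEF extract. This is example code added for this page, not SSA or GESS code; the Person record, its flag names, the stage functions and the assumption that y (required) equals eligible individuals with a located address are constructed for illustration.

```python
"""Constructed walk-through of the SIPEBES selection rules (Appendix D) and
the CAATs record-count reconciliations. Example code, not SSA/GESS code."""
from dataclasses import dataclass


@dataclass
class Person:                        # constructed NUMIDENT row plus the flags
    ssn: str                         # GETERMAT/GEPEBCON pull from other files
    age: int
    deceased: bool = False
    ric_x: bool = False              # RIC 'X' record holders are excluded
    in_benefit_status: bool = False  # MBR: already receiving benefits
    pending_claim: bool = False      # WMS/SSACS: parked in the pending file
    prior_pebes: bool = False        # PEBES history file: already received one
    address: str = ""                # from IRS or the Territory address file
    multex_hit: bool = False         # MULTEX: known multiple SSNs -> exception


MIN_AGE = 25  # FY 2000 rule: all eligible individuals age 25 and over

# Constructed NUMIDENT extract; each row exercises one exclusion rule.
NUMIDENT = [
    Person("000000001", 62, address="1 Main St"),
    Person("000000002", 30, address="2 Oak Ave"),
    Person("000000003", 22),                        # below the age bracket
    Person("000000004", 70, deceased=True),
    Person("000000005", 45, ric_x=True),
    Person("000000006", 50, in_benefit_status=True),
    Person("000000007", 40, pending_claim=True, address="7 Elm Rd"),
    Person("000000008", 35, prior_pebes=True, address="8 Pine Ln"),
    Person("000000009", 55),                        # no address can be located
    Person("000000010", 41, address="10 Fir Ct"),   # no earnings on the MEF
    Person("000000011", 33, address="11 Ash Way", multex_hit=True),
]
# Constructed Master Earnings File SSNs; "999999999" has no NUMIDENT record.
MEF_SSNS = {p.ssn for p in NUMIDENT if p.ssn != "000000010"} | {"999999999"}


def numident_merge(people):
    """'NUMIDENT Merge' sweep: drop deceased/out-of-bracket, then prior PEBES."""
    swept = [p for p in people if not p.deceased and p.age >= MIN_AGE]
    return [p for p in swept if not p.prior_pebes]


def getermat(people, mef_ssns):
    """GETERMAT screen: drop benefit status, RIC X and no-earnings; park pending."""
    keep, pending = [], []
    for p in people:
        if p.in_benefit_status or p.ric_x or p.ssn not in mef_ssns:
            continue
        (pending if p.pending_claim else keep).append(p)
    return keep, pending


def run_pipeline(people=NUMIDENT, mef_ssns=MEF_SSNS):
    """Return per-stage counts, PM #9 and the CAATs-style reconciliations."""
    merged = numident_merge(people)
    requested, pending = getermat(merged, mef_ssns)   # address requests to IRS
    matched = [p for p in requested if p.address]       # GEIRSMAT drops blanks
    issued = [p for p in matched if not p.multex_hit]   # GEKEYSER exceptions
    # Auditor's independent selection, straight from the Appendix D definition.
    expected = {p.ssn for p in people if p.age >= MIN_AGE and not p.deceased
                and not p.ric_x and not p.in_benefit_status
                and not p.pending_claim and not p.prior_pebes
                and p.ssn in mef_ssns and p.address}
    return {
        "merge_count": len(merged),
        "irs_requests": len(requested),
        "irs_unmatched": len(requested) - len(matched),
        "pending": len(pending),
        "required": len(matched),   # y: assumed = eligible with an address
        "issued": len(issued),      # x: SIPEBES that cleared edit checks
        "pm9": len(issued) / len(matched) if matched else 0.0,  # x/y
        "selection_reconciles": expected == {p.ssn for p in matched},
        "mef_orphans": sorted(mef_ssns - {p.ssn for p in people}),  # MEF->NUMIDENT
    }
```

A disagreement between the independently derived selection and the pipeline's own output, or a non-empty orphan list, is the kind of data integrity finding the report's "SSA has a number of data integrity deficiencies" result refers to.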